
Cyber security: Tiered approach to cyber security preparedness in water utilities in the UK (PDF document)

Dr Jim Marshall, Senior Policy Advisor, Water UK. Covers the national, sector and company tiers, Water UK good practice and the NIS Directive.


  1. Cyber security – Tiered approach to cyber security preparedness in water utilities in the UK
  Dr Jim Marshall, Senior Policy Advisor, Water UK. Cyber Water Workshop 2018, Tuesday 9 October 2018.

  What I am going to cover…
  - National
  - Sector
  - Company
  - Water UK good practice
  - NIS Directive

  Times they are a changin’ – approach to security in water…
  - Period of change – industry under spotlight
  - Cyber risk – generic (data) and specific (ICS / SCADA)
  - Malicious threats… global, local, disgruntled employee
  - Industry reform… new players, new activities, new risk
  - Extreme weather – freezing to heatwave in the space of a few months
  - Customers expect service

  UK National Cyber Strategy – tiered structure
  - National: national strategy
  - Sector: Defra strategy and guidance; Water UK support
  - Company: plans and procedures

  DEFEND: We have the means to defend the UK against evolving cyber threats, to respond effectively to incidents, to ensure UK networks, data and systems are protected and resilient. Citizens, businesses and the public sector have the knowledge and ability to defend themselves.

  DETER: The UK will be a hard target for all forms of aggression in cyberspace. We detect, understand, investigate and disrupt hostile action taken against us, pursuing and prosecuting offenders. We have the means to take offensive action in cyberspace, should we choose to do so.

  DEVELOP: We have an innovative, growing cyber security industry, underpinned by world leading scientific research and development. We have a self-sustaining pipeline of talent providing the skills to meet our national needs across the public and private sectors. Our cutting-edge analysis and expertise will enable the UK to meet and overcome future threats and challenges.

  2. Defra strategy and guidance
  To realise this vision, government and the water sector will work towards the following objectives:
  1. Understand threats: Build on our joint work to develop our shared understanding of the cyber threats facing the water sector as they evolve.
  2. Manage risks: Develop and implement approaches to manage risks and address cyber security vulnerabilities in the water sector, now and in the future.
  3. Manage incidents: Respond effectively, with industry, to any serious cyber incidents, including those that compromise critical water infrastructure.
  4. Develop capabilities: Government and sector enhance the cyber skills and capabilities of the water sector to meet future needs.
  Underpinning these objectives, we will seek to:
  5. Strengthen collaboration: Strengthen collaboration between government and the water sector and within the water sector.

  Water companies must own, understand and manage the risks to their assets, including Critical National Infrastructure. Industry, therefore, has responsibility for the security of their systems. Government will help set the strategic direction and ensure the legal framework supports industry, as well as providing technical advice and, where necessary, training. Industry will need to develop a security-conscious culture amongst staff and third party providers and integrate this into their governance structures.

  Water UK cyber good practice
  - Established 6 principles for good cyber security
  - Supported each with recommendations and examples of good practice and guidance
  - Intended as a tool for companies to use in building their own cyber security capabilities

  Our 6 Principles
  - Robust and accountable cyber security governance
  - Manage cyber risk and compliance proactively
  - Ensure all our people are cyber aware
  - Make best use of good threat intelligence
  - Improve incident response
  - Manage procurement, third parties and supply chain proactively

  Principle 1 – robust and accountable cyber security governance
  - Recommendation 1: Create strong governance structures that ensure cyber security is considered and proactively managed, with ownership and accountability from the top of the company.
  - Recommendation 2: Develop and maintain policy documents, standards and guidelines.

  Principle 2 – manage cyber risk and compliance proactively
  - Recommendation 3: Demonstrate that cyber risks are accommodated within the risk management system.
  - Recommendation 4: Develop continuous improvement initiatives aimed at addressing threat, risk and readiness.

  Principle 3 – ensure all our people are cyber aware
  - Recommendation 5: Continue to increase awareness and cyber skills within their wider workforce.

  3. Principle 4 – make best use of good threat intelligence
  - Recommendation 6: Identify sources of good, reliable and credible intelligence.
  - Recommendation 7: Encourage industry knowledge sharing and participation.

  Principle 5 – improve incident response
  - Recommendation 8: Ensure incident response and recovery plans are in place and tested.

  Principle 6 – manage procurement, third parties and supply chain proactively
  - Recommendation 9: Understand the interactions with existing third party service providers and the reach within water company operations.
  - Recommendation 10: Actively ensure third parties are aware of, and comply with, their obligations and the policies of cyber security within your organisation, from procurement to ongoing contract management.

  NIS Directive (EU 2016/1148) – “measures for a high common level of security of network and information systems across the Union”
  - The Directive is not just cyber but covers all risks to networked service provision or where network failures can impact service
  - Requires establishment of national operators of essential services
  - Each MS to identify the entities subject to security and notification obligations where a cyber incident could have significant disruptive effect
  - Operators of essential services required to adopt security requirements to: prevent risks; ensure security appropriate to risks; handle incidents – minimise impact
  - Notification to competent authority of “incidents having a significant impact on the continuity of essential services” + voluntary notifications of other incidents

  NIS Directive – NIS content structure
  NIS Directive words suggest four key overarching objectives that help structure any set of cyber security principles. Organisations that deliver essential services should have:
  A. appropriate organisational structures, policies, and processes in place to understand, assess and systematically manage security risks to essential services;
  B. proportionate security measures in place to protect essential services and systems from cyber-attack;
  C. capabilities to ensure security defences remain effective and to detect cyber security events affecting, or with the potential to affect, essential services;
  D. capabilities to minimise the impacts of a cyber security incident on the delivery of essential services including the restoration of those services where necessary.
  The objectives usefully align with the NIST Framework top-level functions IDENTIFY, PROTECT, DETECT, RESPOND, RECOVER.

  4. Summary and conclusions
  - Collected set of strategy, guidance and good practice working towards our vision
  - Talked about government, collaborative sharing, impact of NIS
  - Outcome – secure, proportionate and trusted water sector providing an essential public health service
  - Incident reporting – what’s in or out of scope is a big question
